Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Who deleted my files
Operating Systems AIX Who deleted my files Post 302564763 by juredd1 on Friday 14th of October 2011 02:17:40 PM
Old 10-14-2011
Who deleted my files
Just looking for some guidance on how to figure out who might have deleted some files off one of my systems.

These files are not root owned files so could be deleted by a handful of folks in the group responsible for these files besides the root users.

Anyway I have been tasked with trying to figure out where they went. I can see from our backup server they were there on Sept. 26th and gone on Sept. 27th. I have tried reviewing the .sh_history file for each user but have just performed a copy of the .sh_history file of each user to a tmp location and then review the files with vi.

I have done this for the root user as well but notice after the copy that the last timestamp in the file is from yesterday. None of the commands I have run today are there. However if I use the fc command they are shown. My concern is that will be the case for the copy of the other users history file but don't have a way to properly format the history file with fc unless I log in as each user. The other issue I have is some uses history file does not appear to go back that far so I am having to restore from the previously mentioned time frame.

Just looking for any thoughts on how to better come up with an answer. Something had to happen to those files but thus far I am coming up empty.

I think I understand that if someone wanted to delete these files and not be found they could edit their own history file. I don't think it's the case of an on purpose delete as the files are still on the source server which they can delete as well. I can get them back from the source server or from backup but just would like to figure out how they got deleted to avoid this questioning from the customer in the future.

Thanks.
 

9 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Retrieval of deleted files

We have a situation in a large dept of programmers where critical accounting data files were deleted. Is there any way in UNIX to trace deletions and or possibly retrieve the deleted file? (14 Replies)
Discussion started by: cgardiner
14 Replies

2. UNIX for Dummies Questions & Answers

restoring deleted files

I had a user run, by accident, the following line command on our UNIX server: rm -f /usr/* This apparently deleted some needed files on your system. Having very limited knowledge in UNIX, I thought I would ask the group if anyone knows how I can recover these file? The version of UNIX is... (3 Replies)
Discussion started by: mikem
3 Replies

3. AIX

recover deleted files

How to recover deleted files in AIX ? (1 Reply)
Discussion started by: vjm
1 Replies

4. Shell Programming and Scripting

Finding deleted files

One of the files got deleted and i want to find who deleted that file. I think we can get the list using history command. Could you please let me know how to get the list of rm commands from history and who previously logged in and did that? Any other suggestions other than history also... (2 Replies)
Discussion started by: Krrishv
2 Replies

5. UNIX for Dummies Questions & Answers

Retrieving deleted files

I mistakenly deleted a script from the UNIX server. Is there any command i can type that i will retrieve my script? (3 Replies)
Discussion started by: manna
3 Replies

6. Shell Programming and Scripting

how to restore the deleted files

hi, if i delete a file from /home/san/abc.cpp in linux/unix and i want to restore it back how to do that ? (3 Replies)
Discussion started by: mail2sant
3 Replies

7. UNIX for Dummies Questions & Answers

Any way to retrieve deleted files?

:eek: I accidently removed some files using 'rm'. Is there any way to retrieve these files if they were deleted through 'rm'? (1 Reply)
Discussion started by: orahi001
1 Replies

8. UNIX for Advanced & Expert Users

deleted all files - rm *

Hi All, I am using Fedora Core and Windows Xp. I deleted all the files from root directory. When i am trying to restart the computer it showing some grub > prompt. What i will do ? I have lots of data in XP OS. Please help me i used # rm * (8 Replies)
Discussion started by: pritish.sas
8 Replies

9. Linux

Need help with deleted files

Hello. I am having a problem and I was wondering if I could get some help from here. I changed into a directory with the cd command and I wanted to delete a folder and all of its subdirectories, so I went ahead and did a rm --recursive * in my current directory to realize that I was in the wrong... (3 Replies)
Discussion started by: jonnydadesigner
3 Replies

LEARN ABOUT HPUX

deluser.conf

deluser.conf(5)                                                 File Formats Manual                                                deluser.conf(5)

NAME

       /etc/deluser.conf - configuration file for deluser(8) and delgroup(8).

DESCRIPTION

       The file /etc/deluser.conf contains defaults for the programs deluser(8) and delgroup(8).  Each option takes the form option = value.  Dou-
       ble or single quotes are allowed around the value.  Comment lines must have a hash sign (#) at the beginning of the line.

       deluser(8) and delgroup(8) also read /etc/adduser.conf, see adduser.conf(5); settings  in  deluser.conf  may  overwrite  settings  made  in
       adduser.conf.

       The valid configuration options are:

       REMOVE_HOME
              Removes the home directory and mail spool of the user to be removed.  Value may be 0 (don't delete) or 1 (do delete).

       REMOVE_ALL_FILES
              Removes  all files on the system owned by the user to be removed.  If this option is activated REMOVE_HOME has no effect. Values may
              be 0 or 1.

       BACKUP If REMOVE_HOME or REMOVE_ALL_FILES is activated all files are backuped before they are removed. The  backup  file  that  is  created
              defaults  to username.tar(.gz|.bz2) in the directory specified by the BACKUP_TO option. The compression method is chosen to the best
              that is available.  Values may be 0 or 1.

       BACKUP_TO
              If BACKUP is activated, BACKUP_TO specifies the directory the backup is written to. Default is the current directory.

       NO_DEL_PATHS
              A list of regular expressions, space separated. All files to be deleted in course of deleting home  directories  or  deleting  files
              owned  by  the  user  to  be  deleted are checked against each of these regular expressions. If a match is detected, the file is not
              deleted. Defaults to a list of system directories, leaving only /home.

              In other words: By default only files below /home belonging to that specific user are going to be deleted.

       ONLY_IF_EMPTY
              Only delete a group if there are no users belonging to this group. Defaults to 0.

       EXCLUDE_FSTYPES
              A regular expression which describes all file systems which should be excluded when looking for files  of  a  user  to  be  deleted.
              Defaults to "(proc|sysfs|usbfs|devpts|tmpfs|afs)".

FILES

       /etc/deluser.conf

SEE ALSO

       adduser.conf(5), delgroup(8), deluser(8)

Debian GNU/Linux                                               Version 3.116ubuntu1                                                deluser.conf(5)
All times are GMT -4. The time now is 04:02 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy